Posted by Soulskill on Tuesday May 03, 2011 @08:14AM from the over-100-million-served dept.

An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service was taken offline to investigate a potential data breach related to the PSN intrusion. SOE has now said that they too suffered a major theft of user data.
"... personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain."

Hey guys, let's keep around credit/debit card billing data from 2007 all online. Deleting it after 6 months of inactivity could hurt sales!11! There's no cost to keeping it around, nothing that would pass an accountant anyway. Let's pay ourselves a bonus for our forward thinking.

They could *easily* do that in a manner which did not allow for the data to be 'net accessible, and therefore exploitable or fairly easily stolen if their network system became compromised. They could have kept it on non-networked (or non-running) machines, external/removable digital storage, dead-tree hardcopies in a file drawer or stack of boxes... There's no need to have that sort of data instantly - or even very easily - available.

Not only that, but the relevant purchase information, even including the type of CC and the last 4 of the card number, would be enough... it's not like businesses keep track of the serial numbers for every cash bill that crosses a register... It's simply a horrible concept. If they allowed for partial refunds, then keeping the information long enough for a refund, fine. If they have recurrent billing.. this should be a walled system (software tier, not just layer) that has a simple API for the front end sy

There's a number of websites, including Amazon.com, that have a crapload of old expired credit cards of mine on file. I don't care, they're expired and I'm too lazy to delete them. On the plus side, they also have all of my addresses from the past 10 years stored...which has actually been a life saver in the past when I couldn't remember an old address:p

Amazon does their due diligence in storing the numbers though. Payment information is tokenized in a separate service and not accessible on the network. Only one-way "please charge instrument with alias X Y amount of Z currency" requests go to a proxy service.
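As an added example, not code from the thread and not Amazon's or Sony's own implementation, here is a minimal version in Python of the architecture the two comments above describe: the application tier keeps only an opaque alias plus brand and last four digits, the vault holds the PAN and exposes nothing but a one-way "charge alias X for amount Y in currency Z" request, and any instrument unused for a retention window is purged. The class and function names, the 180-day window, the keyed-hash dedup index and the test card number are all assumptions constructed for illustration.

```python
"""Card-vault sketch (added example; not Sony's or Amazon's code).

Front-end DB stores only (alias, "Brand ****1234"). The vault stores the
PAN, answers only one-way charge requests, and purges stale instruments.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Tuple

# Assumption: generated per process here; in production this key comes from
# an HSM/KMS and is never stored beside the data it indexes.
VAULT_INDEX_KEY = secrets.token_bytes(32)

# Constructed sample: the well-known Visa test number, not a real card.
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: reject mistyped numbers before storing anything."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Coarse brand from the leading digit (illustrative mapping only)."""
    return {"3": "Amex", "4": "Visa", "5": "Mastercard"}.get(pan[0], "Card")


@dataclass
class StoredInstrument:
    pan: str
    exp_month: int
    exp_year: int
    last_used: date


class CardVault:
    """Holds PANs behind aliases. No method here returns a PAN to a caller."""

    def __init__(self, retention_days: int = 180):
        self.retention_days = retention_days
        self._by_alias: Dict[str, StoredInstrument] = {}
        self._alias_by_fp: Dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash, so the dedup index is useless without VAULT_INDEX_KEY.
        return hmac.new(VAULT_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, exp_month: int, exp_year: int,
                 today: date) -> Tuple[str, str]:
        """Store the card; return (alias, display) for the front-end DB."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        fp = self._fingerprint(pan)
        alias = self._alias_by_fp.get(fp)
        if alias is None:
            alias = "tok_" + secrets.token_urlsafe(16)   # unguessable, PAN-free
            self._alias_by_fp[fp] = alias
        self._by_alias[alias] = StoredInstrument(pan, exp_month, exp_year, today)
        return alias, "%s ****%s" % (brand_of(pan), pan[-4:])

    def charge(self, alias: str, amount_minor: int, currency: str,
               today: date) -> dict:
        """One-way request: charge instrument `alias` for amount/currency."""
        inst = self._by_alias.get(alias)
        if inst is None:
            return {"ok": False, "reason": "unknown_alias"}
        if (inst.exp_year, inst.exp_month) < (today.year, today.month):
            return {"ok": False, "reason": "expired"}
        inst.last_used = today
        # The processor call would go here; the PAN never leaves this method.
        return {"ok": True, "auth": secrets.token_hex(4), "currency": currency}

    def purge_stale(self, today: date) -> int:
        """Delete instruments unused for retention_days; return the count."""
        cutoff = today - timedelta(days=self.retention_days)
        stale = [a for a, i in self._by_alias.items() if i.last_used < cutoff]
        for alias in stale:
            inst = self._by_alias.pop(alias)
            self._alias_by_fp.pop(self._fingerprint(inst.pan), None)
        return len(stale)


def run_scenario() -> dict:
    """Scripted walk-through on constructed data; returns checkable results."""
    vault = CardVault(retention_days=180)
    signup = date(2011, 5, 3)
    alias, display = vault.tokenize(TEST_PAN, 12, 2012, signup)
    alias_again, _ = vault.tokenize(TEST_PAN, 12, 2012, signup)
    return {
        "display": display,
        "alias_prefix": alias[:4],
        "pan_leaked": TEST_PAN in alias or TEST_PAN[-6:] in display,
        "same_alias": alias == alias_again,
        "charge_ok": vault.charge(alias, 1999, "USD", signup)["ok"],
        "unknown": vault.charge("tok_nope", 1999, "USD", signup)["reason"],
        "expired": vault.charge(alias, 1999, "USD", date(2013, 1, 1))["reason"],
        "purged": vault.purge_stale(date(2012, 5, 3)),
        "after_purge": vault.charge(alias, 1999, "USD", date(2012, 5, 3))["reason"],
    }
```

The point of the split is that a compromise of the front-end database yields aliases and masked numbers that cannot be turned back into PANs, and the purge removes exactly the kind of years-old instruments the 2007 database contained. A real deployment would hold the vault on a separate network segment and put the processor integration behind `charge`.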

Er, the credit card number does not change when your card is renewed. Only the expiration date and the security number do. The expiry date can probably be worked out, and that just means they have to guess a 3 (or 4 depending on the company) digit security number.

I haven't played Everquest since 2002 and I got a notice. Luckily for me all that credit card information is outdated and wrong. Even the mailing address is wrong. How someone was able to access this data is beyond me. I cannot, for any reason, think of any justification Sony could have to store something in a manner that a developer could access at this level.

Sony is going to have one hell of a class action lawsuit on its hands.

Nothing except my name (and date of birth if they have that) is the same as in 2002. Heck I've moved countries and changed citizenship since then...

But a lawsuit is interesting from the perspective of required arbitration being ruled valid recently. If the EULA in question is that old, and you are no longer a subscriber would something like this now be covered by it?

Developers? No, that database was probably a backup somewhere inside some computer on the network, so the attacker managed to get a shell inside PSN, and from there open other systems, including this database one.

Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.

If you purchased a Sony product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of Sony on the Internet. Hopefully, those of you using Sony Online since the days of the Playstation (one), only have expired credit cards to worry about, but a

Personally I'm more annoyed at the people that performed the hack than Sony. Granted Sony has lost what little company loyalty I had, I already stopped buying most of their products.

But in this case it is the perpetrators that make me angry. It's one thing to screw with a company, it's another to screw with the average Joe that just wanted to play the latest Ratchet and Clank episode.

Name, address, birthdate, credit card number... that's more than enough for identity theft. Meaning not only do I need to tak

Corporate America just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.

If you purchased an American product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of the credit card. Hopefully, those of you using goods and services since the 1960s, only have expired credit cards to worry about, but anyon

I love the way corporations do this, just wait for a big news story (Osama's dead) and then start releasing the full extent of the disaster. The same principle worked for the cigarette companies. They were set to be torn apart for lying about the dangers of smoking and genetic modification to increase addiction, then along came 9/11 and all was forgotten. All you've got to do is stonewall until a bigger problem comes along.

I keep hearing about intrusions that result in data theft, including credit card numbers, etc. Can someone tell me why on earth this information is being stored as plain-text and not as encrypted files? Unless of course the data is encrypted and the passphrases are stored in open-text files with a filename of "password_to_our_files.txt"

While I take no pleasure in the fact that people's financial data has been compromised, my intense dislike of Sony and its business practices is severely inhibiting my ability to wipe an evil little grin off my face.

After Sony's initial admission of the PSN breach, a lot of people pointed fingers of blame at the PS3 hackers without so much as a shred of evidence either way.

Now that it appears SOE was also penetrated at approximately the same time, I think it's fair to ask just where the penetration occurred, how much customer data was accessible across Sony's networks, and what (if any) internal safeguards were supposed to be in place. There could be multiple penetrations through several vulnerable points, but this looks even more coordinated and planned than initially suspected. If Sony hasn't investigated IT employees, it's time to start -- at minimum, someone has loose lips or careless behaviour. At worst, someone sold them out.

The fact you have not -given- money doesn't mean there is no money to be stolen from you. Only if you're so far in debt that the most dubious credit agency refuses to lend you money can you not be stolen from. Otherwise you may go day to day happily until a debt collector knocks on your door with a demand to pay the loan back - the loan you never took.

I've actually seen a surprising lack of "I told you so". I figured it would be every second comment at this point...

LOL! I'm with you there. I have a PS3, I plugged it into the net. Halfway through reading the Sony online licence agreement I unplugged it vowing never to plug it in again. I don't recall what it was that set me off exactly, it was years ago, but I haven't changed my mind.

A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.

While it makes *some* sense, I don't buy it.

My feeling is that this whole fiasco is hurting Sony's bottom line more than the whole hacker-awareness / scapegoat thing could even provide in the long-term.

They're losing a lot of customer trust and customer loyalty, and I have to assume this is hurting their stock price. Once is a shame, twice (so close together) is a disaster.

While it's true that companies probably want to shine a large spot-light on hackers, identity theft, etc there has to be some risk mana

Agreed. It just does not sound plausible. Sometimes it's fun to attribute stuff like this to some scheming corporate overlord; sometimes what appears to be a poorly handled public relations nightmare is, in fact, a poorly handled public relations nightmare.

So our choices are, "It's those nasty, evil, hackers... taking advantage of Sony's (obviously) inadequate security"... or "It's Sony's (obviously) inadequate security... attracting those nasty, evil, hackers." Meh. Either way, Sony blew it, and doesn't deserve to be trusted anymore. We should have learned with the whole rootkit fiasco, but we do like our gaming... apparently more than our credit cards.

Interesting chart. Seems to me like the recent price drop is nothing atypical, though, just common market variation. Nothing like 2009 - that was something to be excited about. Actually, aside from a low here and there, Sony's stock price seems to have been increasing pretty steadily. I'd like to be wrong, though. Thank god I'm not a professional market analyst. Not that it would make my predictions any more trustworthy, of course - I just felt like expressing my joie de vivre.

You think the damage in their reputation, their online branding for SOE etc is worth this? If true they have some monumentally stupid people working for them.

I'm one of those who have been boycotting Sony since the rootkit fiasco but I'm not going to get preachy about it. For me, it's not some kind of crusade to get them to mend their ways or die, it's actually rather pure self-interest - I just know that they can't screw me over. I do wish a few more people would take note and Sony would mend their ways as a reaction. They used to be a decent company, their hardware was always top notch and I loved the PS1, it's just a bit sad to see them go down this route of profit above all.

Sony did mend their ways. After the rootkit fiasco for sure, but after most of the other bonehead moves as well. They apologized and promised to do better and all that, like they all do.

But, like they all do, over time the same forces that led them to this will lead them there again. Corporate structures being what they are, it simply isn't possible to communicate an intangible risk like 'what if a hacker breaks in and copies all our data' well enough to garner the kind of funding to implement real security. At least not at a company the size of Sony. And certainly their users have proven that at every turn they are willing to sacrifice security for convenience and price and features. This site has a Sony gaffe poll on the front page, and the readership is better educated about tech issues than most, yet how many PS3s per capita do you think there are here?

So Sony has little motivation to really change and I doubt they are alone in having lax security.

I am looking forward to the show they will put on after this is over. Figure they will hire Bruce Schneier and Theo de Raadt. Fireworks. Maybe a hovercraft pulls up to Sony HQ and the team that took Bin Laden pours out, sets up a perimeter. Sony's CEO stomps onto the stage in a mecha and declares war on hackers. It is going to be amazing.

You're right about how hard it sometimes is getting executives to see how important security is to a company. Which is why examples come in so handy. So, the one thing about this that could be considered a silver lining is that tons of other companies are watching what's happening and thinking, "Gosh, maybe we should look at our own security, because we don't want to be the next SOE"

The problem is, that's a lesson that tends to be forgotten when it's time to write up the next budget.

Corporate structures being what they are it simply isn't possible to communicate an intangible risk like 'what if a hacker breaks in and copies all our data' well enough to garner the kind of funding to implement real security. At least not at a company the size of Sony

I work for a company of roughly the same size, in a similar industry (hardware not content). I am currently one of the people in charge of validating our security measures. There are several of us, and I am likely near to bottom of that particular totem pole, yet I have the ability to stop the launch of the product I am working on at a cost of likely millions of dollars if I find an issue really late in the game. While the product may ultimately ship even if I find an issue, it will not ship till upper m

Yup. We do exercise the power and have done so more than once. That said, it wasn't always like that. Management got burned some number of years ago. They learned their lesson when forced to. But the core structure of how things work here has changed such that the "old ways" really can not come back.

Yup. Seen this many times in my own company. Talked about risks but until there was a break of some kind, it was ignored.

To be fair - they may hear about hundreds of risks, and how do they prioritize? Do they spend millions addressing risks which were over-ranked by their associates? You could go bankrupt that way and still get hit by what you thought was a lower priority risk that you put later in the chain.

Complete waste of time. We said it. Everyone knows it. Why bother to observe the obvious.
Oh, wait... You mean the network and security engineers at Sony who had been telling their bosses they needed a realistic budget for security. Yeah, I'd have expected those poor saps to have gone public by now.

That's because there's no point. People continue to buy Sony despite their antics. Those of us who know better avoid Sony like the plague, and then watch, wait, and roll our eyes as another batch of people get screwed over.

As an owner of both the PS3 and 360, I called my bank and canceled my card last week, just in case. What really irritates me is that, at least through the web interface, you can not remove your credit card information from Microsoft's billing services - at least with an active Live Gold membership (despite the fact the Live Gold account is already paid for).

Yup, and they will autorenew you too - even if the expiration on the card has passed. Yes, they did it to me! The card is now long gone and so is my "gold" membership and I doubt I'll ever buy another after the experience I had trying to cancel this one. Thankfully Sony doesn't have any such details from me...

This is actually the exact reason why I buy so few online games for the Xbox. I'd buy a lot more, but I don't want to leave Live subscribed when I'm not using it (because it costs money) and I don't want to activate it now because doing so means eventually I have to call their horrible customer service to cancel it.

Why is there no cancel button in the UI like there is in any sane product?

Last Sony product I owned is a second hand Trinitron, but there's nothing to feel superior about. With the Sony rootkit, the consumers were screwed. With this fiasco the consumers were screwed, and most of them don't know what a rootkit or an OtherOS is.

I haven't done business with Sony Online Entertainment at all for over a decade, and I'm apparently affected. I subscribed to Everquest way back in the day, but dropped somewhere around 2001. I just yesterday got an email from them that my personal information had been lost. So, don't feel so superior... even if you started boycotting them over the rootkits, they kept your information from before then, and then lost it to hackers.

Since it's been over a decade for me, I honestly can't remember - what information did they even collect for Everquest? Yeah, they'd have massively outdated address and phone information, but I consider that already essentially public information. What else, birth date? Certainly not mother's maiden name or SSN or anything along those lines. Does anyone remember?

I got my email as well, but it's been probably 5 years since I played any game on there, and I signed up for EQ at launch. I'll double check the info today when I get a chance to make sure it is nothing important, i.e. old CC, change password etc.

Well, if they "decided to boycott" then that means they paid for Sony stuff beforehand and they're equally at risk, as they'd still have their info in the database. Otherwise they just decided to keep on doing exactly what they were doing anyway, and they're the type of internet people that would already be feeling superior about it anyway ;)

I would lay my bet on "Sony doesn't want to tell anyone how bad it is" until they are required to do so. This is very much the same pattern of behavior we see with the Fukushima nuclear plant. Please believe me when I say that this behavior is quite typical of Japanese companies. It is not "diabolical" as you may think but is instead considered "wise" not to share information that is not required and may be potentially damaging to the company.

But to Sony I say "FEAR YOUR CUSTOMERS." You are not in control as much as you seem to think you are. They control the dollars in their pockets (though not necessarily those in their bank or credit accounts, as you well know) and they choose what they buy from you. And when you make them angry, and you never know exactly who you are making angry, these anonymous customers, you just might make some who are dangerous to you very angry in the process.

I am guessing that this is a very focused attack on Sony. Was it because of their shoddy products? Their involvement in the recording industry? Their abuse of customers in general? It could be any or all of these things or more. So yeah, Sony... you forgot "the customer is always right" and that happy customers are your best customers.

And if other companies haven't figured out by now, "you are next" if you don't start taking care of your customers and keep abusing them as you do. I am speaking to AT&T, Verizon and any other company that is known for being abusive to customers. Just wait and see.

I'm just glad I pulled away from Sony so long ago. I didn't have much if any data at risk this time around, so I'm good to go for now. It's all good entertainment for me at the moment.

wow man that's harsh. you're saying that if a company doesn't give you good customer service, then somebody will hack the company, steal millions of account records, and cause millions if not more in damages and lost business?

If he's not, I will: yes, that's exactly correct. When companies piss enough people off, someone goes gunning for their servers. Neither erroneus nor I are claiming that this is the correct, moral, or legitimate response, just that it's a likely outcome. Sony and their peers have worked hard to remove all legitimate means of redress, and now people are pursuing the only avenues left open to the average guy without a few megadollars to futilely pursue them in court. What else would you expect to happen, real

Really? You, or some other vengeful hacker will take it out on Sony by stealing from millions of other people? I don't think that's what you mean.

I think the theft of people's personal data was perpetrated by career criminals, not by wronged consumers.

This is very wrong.
As far as anyone can know there is no correlation between the GeoHot affair and this one.
Also, if that personal data is exposed it'd harm large parts of that same community.
Unless this ID theft was organized only to prove a point (which is very, very unlikely imo), this is no more than plain theft. As in, made by criminals.
Only upside is that it exposed security issues, maybe as a lesson for the future. Or maybe not.

Well, to be fair, I wouldn't consider the guys (or girls?) that broke into Sony to be in the same category/class as GeoHot. I would say GH has no financial interest in hacking some hardware pieces, but instead a genuine knowledge interest in how it works, how to make it do something it was not designed to do, etc. The other guys would just want to crack the safe, steal the goods, and get out.

How is it that you would see a causation there? If some GeoHot supporters would break into Sony, I believe it would be be

My conspiracy theory is that this attack was being planned for a long time and that GeoHot just happened to make the perfect scapegoat. Now Sony, and a large part of the gaming community, has someone to focus their wrath on and there's very little to prove the two events aren't connected.

Get it right. Hackers attacked Sony (and SOE), but while their PR got hurt and they have to spend some money on some security consultants, it's the USERS (past and present) that will be experiencing the brunt of the damage.

This is an attack on PEOPLE, not a company. If a company was the target, then corporate account information would have been hacked.

What's really funny is that this whole fiasco would have never happened if Sony hadn't decided to disable the OtherOS function on existing PS3s. This led to hackers breaking open the PS3, which hadn't happened so far because the people who were capable of such feats were happy with OtherOS - and then, it seems that with hacked PS3s, the Sony Online servers were hacked relatively quickly.

Just imagine - if they hadn't pulled that crap with OtherOS, the PS3 could probably have gone unhacked until it was retire

Did you miss the first line of TFA? "An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service..." I think I'm getting a sense of what might be going wrong with high-frequency trading...

First of all, you need to remember who's running this country, and it's not us. It's big corporations like Sony. They can essentially screw all of us with impunity and if they go too far, the government gives them a slap on the wrist as a show of good faith to the people.

Consider the SEC. When they fine some trading company $20 million for some illegal trading activities, do you really think that's a big deal? Of course not, because the company made $100 or $200 million doing the illegal trade. To them, th

I've used Sony Online Entertainment for a decade. I generally do not purchase new Sony products. I have yet to receive anything from Sony indicating that my information may have been stolen. I know they have my correct email because I recently contacted them and they replied to me. I would be wary of anything sent to you. You should ensure you verify the "party" sending you the notices.

Aside from that, I do find it a bit disingenuous that Sony is making a PR announcement that basically says that "your